Security breach

[labratofel]

First of all: great product.

Now that's out of the way please allow me to tear you a new one.

Your "faq" and email states that the attack was blocked. It clearly was not. If it was blocked I would not be waking up to your email.

It would have been even better if you had not locked the FAQ thread so I (and no doubt others) wouldn't be about to create 1000 threads with the same content.

I am extremely dissatisfied that my personal information has been left vulnerable because of your lax security.

I bet I am not the only one.

[radioactivity]

Agreed, blocked is not the same as "they have your email". Also the passwords, where they just MD5 hashes or where they salted?

Please delete my account.

It's not open to discussion.

Thanks.

[mupet0000]

Yeah we need to know more about the password leak, you try to play it down in your FAQ but you recommend changing it on other forums, tell us more.

[jaromanda]

wow ... drama llama's are in season

Quote:

Originally Posted by mupet0000

Yeah we need to know more about the password leak, you try to play it down in your FAQ but you recommend changing it on other forums, tell us more.

you'd be a grade a moron to use the same password on two sites, and deserve everything that befalls you


The FAQ is quite clear ...

breach detected and stopped ...
RECOMMEND you change your password (covering their arses) ...
Also, if you're a brain dead retard and use the same password on other sites, best you change that password as well

I can't see what more could be said

I've not used this forum in years and luckily the password was one I no longer use.

However the email I received said "your email address was exposed as a result of the attack", if it was just my email address why tell me to change my password?

Was it more than just email addresses that were exposed? Is it a hash that someone has their hands on or is it more than you're letting on?

[jaromanda]

Quote:

Originally Posted by newmeja

I've not used this forum in years and luckily the password was one I no longer use.

However the email I received said "your email address was exposed as a result of the attack", if it was just my email address why tell me to change my password?

Was it more than just email addresses that were exposed? Is it a hash that someone has their hands on or is it more than you're letting on?

surely it's better to err on the side of caution

I for one respect the fact that I was contacted about this - if they were sure passwords were not compromised, they could've remained silent about it and nobody would know any different - may get some more spam, but my wife wants my dick bigger and stay hard longer, so it's win win

Quote:

Originally Posted by jaromanda

surely it's better to err on the side of caution

Oh don't get me wrong, disclosure is good and I'm glad they've come forward.

My email address is already all over the Internet so I'm not too upset, I would just like absolute confirmation that nothing else was breached.

[Third_of_Five]

So were passwords stored in the DB as plain text?

[jaromanda]

Quote:

Originally Posted by newmeja

Oh don't get me wrong, disclosure is good and I'm glad they've come forward.

My email address is already all over the Internet so I'm not too upset, I would just like absolute confirmation that nothing else was breached.

I think all the info they're prepared to release was in the email

[Third_of_Five]

Ok so they blocked an attack on the DB, entirely or only in part? How long did the attackers get access to the DB before they were blocked. If they did get access to the DB then surely more than just email address obtained.

[jaromanda]

Quote:

Originally Posted by Third_of_Five

Ok so they blocked an attack on the DB, entirely or only in part? How long did the attackers get access to the DB before they were blocked. If they did get access to the DB then surely more than just email address obtained.

change your passwords

change any passwords that are identical on other sites

move on with your life


how hard is that?

The fact is the email addresses were stolen.. I don't care about this stupid Winamp account password, but I do care about my private email and spam!

I want my account deleted as well (havent used it since 2003 anyway.) Please delete it or let me know how to. Cant find the option anywere, not even in the help section.

[jaromanda]

Quote:

Originally Posted by nik_bloemers

I want my account deleted as well (havent used it since 2003 anyway.) Please delete it or let me know how to. Cant find the option anywere, not even in the help section.

did you read the FAQ link posted in the email?

[jaromanda]

here ... let me read it for you

5) How can I delete my account?

We understand how important trust is on the web, and some of you may wish to delete your Winamp Forums account. To delete your account make sure that you are logged into the Winamp Forums and follow these simple instructions:

Scroll down to the bottom of the forum home page and click on View Forum Leaders. Scroll down to the Root section to see the list of Administrators. Send your deletion request to DJ Egg or DrO using the contact link to the right of the administrator's name. The Administrator will delete your account upon receiving the private request message and send you a confirmation email once the account is deleted.

[Third_of_Five]

Quote:

Originally Posted by jaromanda

how hard is that?

About as hard as it is for you to STFU. If you don't want to answer the question that was asked, then don't answer at all.

[DrO]

will everyone keep it in check please, especially telling people to STFU is not helpful.

as for the questions raised, i'm not going to answer them as i do not know the complete answer and so do not want to spread mis-information. as such what is officially provided is all there is to know on the matter though there may be further clarification (but i do not know and cannot confirm about that).

-daz

[labratofel]

The only reasonable thing you have posted in this thread jarorama is everything from "my wife wants" in post #7.

You're not site admin, let them tell me what the breach was, what was taken (I understand databases and SQL injection so I sincerely doubt all they did was

code:
SELECT email FROM usertable WHERE 1;

edit: sorry mod, you posted while I was constructing this post.

[jaromanda]

Quote:

Originally Posted by Third_of_Five

About as hard as it is for you to STFU. If you don't want to answer the question that was asked, then don't answer at all.

I believe I've answered the question

no need to get your panties in a bunch, sweetheart

[jaromanda]

Quote:

Originally Posted by labratofel

The only reasonable thing you have posted in this thread jarorama is everything from "my wife wants" in post #7.

You're not site admin, let them tell me what the breach was, what was taken (I understand databases and SQL injection so I sincerely doubt all they did was

code:
SELECT email FROM usertable WHERE 1;

edit: sorry mod, you posted while I was constructing this post.

but ... I can READ emails, and READ the FAQ ... so I UNDERSTAND

I've admined fora over the years, and know what will and wont be disclosed by 99 out of a 100 admins in such circumstances

but, right now, I'll let the drama llama's carry on their whinging and whining

[Third_of_Five]

Quote:

Originally Posted by DrO

will everyone keep it in check please, especially telling people to STFU is not helpful.

And neither is all the bull crap he is spouting, nor did I tell him/her to STFU, I was making an observation, which not the same thing. People like him/her are the bane of forums.

If there was any amount of access to the DB, it is not unreasonable to assume it was more than just emails that were stolen.

[jaromanda]

Quote:

Originally Posted by Third_of_Five

And neither is all the bull crap he is spouting, nor did I tell him/her to STFU, I was making an observation, which not the same thing. People like him/her are the bane of forums.

they're called facts, sweetheart

I'll stop if I'm told I'm doing anything wrong by admins ... not by someone who made two posts 4 years ago and hasn't been back since

thanks for your input, though, sweetheart

Quote:

Originally Posted by Third_of_Five

If there was any amount of access to the DB, it is not unreasonable to assume it was more than just emails that were stolen.

yeah, encrypted passwords and all the info you put on your PUBLIC profile page too ... oh noes, they got info you already made public!!! what to do what to do!!!

interesting observation ... the biggest DOOMSAYERS have less than 5 posts on the forum before today

just saying is all

[Batter Pudding]

Thanks to the admins at being honest here. Okay, that is a legal requirement when you get your database stolen, but how many other forums get quietly hacked and then everything covered up in secrecy?

Can I make a small suggestion? Any chance of making the "Contact an Admin" links a little easier to find? When I dropped by this website on Jan 8th at 20:47 hrs GMT NOD32 blocked a connection to ciriso9********/multi/jnaojtgpizin.jar (Don't be stupid enough to follow that link, I am typing it here purely as an example...) If I could have found a way to easily contact an Admin, I would have reported this. Trouble is, it was not clear how to report anything so instead of wading around an infected website I ran away.

Oh - and nice to see NOD32 in action. Often sit in all kinds of silly debates about the qualities of different AV products, and it is always fun to see NOD32 getting the gloves off.

Edit:Oooo - now that is nice to see. I typed the URL above of the virus that tried to hump my PC on that day. And now I see the domain name gets blocked. I think this is the same virus that got the BBC website ( http://www.theregister.co.uk/2011/02...veby_download/ ) From that nice place the cocos islands.

If the BBC, with its huge site and cash investments gets nailed, then I think Winamp Admins can be forgiven.

[Third_of_Five]

Your nothing more than a Troll jaromanda.

[labratofel]

Must.. not.. feed.. the.. troll..

I have used Winamp for more years than I care to remember. Just because I haven't posted much doesn't mean that I don't know what I am talking about.

*expletive deleted* happens - I understand that. I just want clarification as to what was lost so I can assess the potential damage. I don't want some nobody from Deservesakicking, Illinois telling me what I should think.

Edit: I just looked over my very small posting history and saw one of my original posts that I joined the forum to create. It was a step by step guide to show people how to get shoutcast running as a Windows service.

Speak little, but when you do make sure the message is useful.

Maybe you should try that.

[Third_of_Five]

Quote:

Originally Posted by jaromanda

I'll stop if I'm told I'm doing anything wrong by admins ... not by someone who made two posts 4 years ago and hasn't been back since

You were told to keep it in check, which you seem incapable of comprehending or doing.

Quote:

interesting observation ... the biggest DOOMSAYERS have less than 5 posts on the forum before today

Did I mention DOOM? All I have done is question the statement that only our emails were leaked. All you have done is be disrespectful and unhelpful in nearly all your posts.

[jaromanda]

Quote:

Originally Posted by labratofel

*expletive deleted* happens - I understand that. I just want clarification as to what was lost so I can assess the potential damage. I don't want some nobody from Deservesakicking, Illinois telling me what I should think.

you were told in the email

1) email address, stolen

2) suggest you change password

3) change password on other sites if same as here

all other possible stolen info is already public in your profile ... so it's not really stolen, is it


from 1) you MAY get spam ... I'm sure you do already

from 2) you change your password, no big deal

from 3) if applicable, you learn not to use the same password on different sites

not sure what else you want? class action lawsuit?

[jaromanda]

Quote:

Originally Posted by Third_of_Five

You were told to keep it in check, which you seem incapable of comprehending or doing.

no, sweetheart, that was directed at you .... telling someone to STFU is rude

Please, Mr 4 posts, don't think you can tell me what to do on this forum ... I'll take direction from admin/moderators ... but not from Chicken "the sky is falling" Little

Quote:

Originally Posted by Third_of_Five

Did I mention DOOM? All I have done is question the statement that only our emails were leaked. All you have done is be disrespectful and unhelpful in nearly all your posts.

read post above ... clearly the passwords would be stolen, but encrypted, so that's why it was recommended you change your password here

all other info possibly "stolen" was clearly visible in your public profile here ... so ... you going to sue AOL for leaking information you gave out willingly and publicly?

read my sig .... and take into consideration I'm also modest

[labratofel]

Information in your profile could include your web address.

A whois search could then reveal your real name *edit* and address. Not Winamp's fault but a link in a chain.

The date of birth could be stored in the forum database so they can send you birthday greetings. It doesn't have to appear on your profile page ("Hide age and date of birth").

Now I potentially have a name, address, email and a date of birth. A little social engineering and I can get access to your ICQ account. Then I can take over the world. Or something.

It's been done before. Just not by me.

[Third_of_Five]

Quote:

Originally Posted by jaromanda

no, sweetheart, that was directed at you .... telling someone to STFU is rude

Both those statements are incorrect. Keep it in check was directed at everyone. I did not tell you to stfu, I made an observation / a comparison which is not the same. You however continue to be disrespectful, clearly you get some kind of kick out of it, which says a lot.

Quote:

read post above ... clearly the passwords would be stolen, but encrypted, so that's why it was recommended you change your password here

It's not clear the passwords were stolen at all. And how do you know the passwords are encrypted? You don't.

[jaromanda]

Quote:

Originally Posted by labratofel

I can get access to your ICQ account. Then I can take over the world.

ROFL

see

a little humour never hurt

[jaromanda]

Quote:

Originally Posted by Third_of_Five

Both those statements are incorrect. Keep it in check was directed at everyone. I did not tell you to stfu, I made an observation / a comparison which is not the same. You however continue to be disrespectful, clearly you get some kind of kick out of it, which says a lot.
.

how was I disrespectful to you before you told me to STFU (I didn't say you told me, admin did)

Quote:

Originally Posted by Third_of_Five

It's not clear the passwords were stolen at all.

so why were you told to change them?

Quote:

Originally Posted by Third_of_Five

And how do you know the passwords are encrypted? You don't.

I'm the one that stole the database useless to me because the passwords are encrypted

- or -

I know a lot more about this forum than johnny come seldoms

code:
$password_hash = md5(md5($password_text) . $user_salt);

sorry, I said encrypted ... but 99% of n00bs wouldn't understand "hashed"

[Third_of_Five]

Quote:

Originally Posted by jaromanda

how was I disrespectful to you before you told me to STFU (I didn't say you told me, admin did)

Waste of effort conversing with you as there seems some kind of language barrier, as you continually misinterpret plain English, which as Troll seems to be your primary language is probably not surprising.

[jaromanda]

Quote:

Originally Posted by Third_of_Five

Waste of effort conversing with you

and yet, here you are

Quote:

Originally Posted by Third_of_Five

as there seems some kind of language barrier, as you continually misinterpret plain English,

let me type it out SLOWLY for you

I never claimed you told me to STFU ... I was not rude or disrespectful to you until you basically told me to stop posting

not ONE admin/mod has corrected any points in any of my posts

why do you think that is?

because it's COMMON SENSE

[jaromanda]

http://forums.shoutcast.com/online.p...members&pp=200

ROFL

look at all the users in the control panel

hardly any are bitchin an moanin in this thread

[labratofel]

Quote:

Originally Posted by jaromanda

http://forums.shoutcast.com/online.p...members&pp=200

ROFL

look at all the users in the control panel

hardly any are bitchin an moanin in this thread

Yeah they are too busy changing their passwords.

[jaromanda]

Quote:

Originally Posted by labratofel

Yeah they are too busy changing their passwords.

yeah, because it takes HOURS to do that

[osmosis]

As I understand it, the MD5 hashes which *MAY* have also been taken in addition to the emails (as written in the security bulletin), could be used to generate a collision (ie. something which has the same hash) and that could be used to login to your Winamp Forums account.

The odds of the collision being your actual password are minimal so your password will most likely be safe on other sites unless they also use MD5 hashes, but to err on the side of caution we've all been advised to change passwords on other sites if it's the same. At the very (very) least your Winamp forum password should be changed.

Hope that helps anyone who's still a bit confused.

[labratofel]

MD5 Rainbow tables.
Ask google about them.

Says it all really.

[jaromanda]

Quote:

Originally Posted by osmosis

Hope that helps anyone who's still a bit confused.

I'll take "Common Sense on the Internet" for 400, please, Alex